Linux on Windows flaw in Windows 10 Anniversary Update
Security flaw just one of many to 'bug' users of Microsoft's Windows 10 Anniversary Update
A new security flaw for users of the Windows 10 Anniversary Update has been found by security researchers. It follows Microsoft's decision to include a Linux subsystem in the recent Windows 10 Anniversary Update.
According to security company CrowdStrike, the main problem stems from the fact that the two kernels have direct access to each other - there's no hypervisor, just two systems with identical access.
The design decision, claims CrowdStrike, has dramatically increased the potential 'attack surface' for hackers looking for ways to crack Windows 10 by, for example, enabling Windows and Linux apps to be modified by each other, bypassing the patches put in place natively.
Code injection is just one example of how a Windows program could attack a Linux app. Once the code is injected, if the infected Linux application makes a call back to Windows, it will be trusted and could trigger all manner of problems.
CrowdStrike has also suggested that savvy users will be able to run Linux versions of apps that have been disabled in Windows - by security-conscious systems administrators, for instance - and there's not a lot that the sysadmin can do to prevent that.
Of course, there's a very simple workaround: don't turn on Linux-BASH on the machine. Plus, of course, no one has actually done this yet. In other words, the security flaw is currently theoretical, with no known exploits found in the wild - yet.
But we do find ourselves wondering why, after the levels of excitement over the addition of BASH to Windows, Microsoft couldn't have just waited a little bit longer and thought it through a little bit more... just a bit?
Well, apparently not. Because it appears that the decision was taken deliberately to ensure that the Linux subsystem works at a reasonable speed. In other words, Microsoft admitted that its Hyper-V containers aren't as good, perhaps, as they should be.